diff options
| author | marcel <marcel@FreeBSD.org> | 2013-05-31 17:30:12 +0000 |
|---|---|---|
| committer | marcel <marcel@FreeBSD.org> | 2013-05-31 17:30:12 +0000 |
| commit | 838ba827a2bbb59d8184419cf6632b7afa203afa (patch) | |
| tree | 32f1946d45e474d4549cfa15d61252bc176e3efd /contrib/telnet | |
| parent | 7627381cdbef5e612ab766bdb7d6e01c2219c861 (diff) | |
| download | FreeBSD-src-838ba827a2bbb59d8184419cf6632b7afa203afa.zip FreeBSD-src-838ba827a2bbb59d8184419cf6632b7afa203afa.tar.gz | |
Fix "automatic" login, broken by revision 69825 (12 years, 5 months ago).
The "automatic" login feature is described as follows:
The USER environment variable holds the name of the person telnetting in.
This is the username of the person on the client machine. The traditional
behaviour is to execute login(1) with this username first, meaning that
login(1) will prompt for the password only. If login fails, login(1) will
retry, but now prompt for the username before prompting for the password.
This feature got broken by how the environment got scrubbed. Before the
change in r69825 we removed variables that we deemed dangerous. Starting
with r69825 we only keep those variable we know to be safe.
The USER environment variable fell through the cracks. It suddenly got
scrubbed (i.e. removed from the environment) while still being checked
for. It also got explicitly removed from the environment to handle the
failed login case.
The fix is to obtain the value of the USER environment variable before
we scrub the environment and used the "cached" in subsequent checks.
This guarantees that the environment does not contain the USER variable
in the end, while still being able to implement "automatic" login.
Obtained from: Juniper Networks, Inc.
Diffstat (limited to 'contrib/telnet')
| -rw-r--r-- | contrib/telnet/telnetd/sys_term.c | 24 |
1 files changed, 10 insertions, 14 deletions
diff --git a/contrib/telnet/telnetd/sys_term.c b/contrib/telnet/telnetd/sys_term.c index a7b0075..6d06b28 100644 --- a/contrib/telnet/telnetd/sys_term.c +++ b/contrib/telnet/telnetd/sys_term.c @@ -1,4 +1,4 @@ - /* +/* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * @@ -1026,6 +1026,10 @@ void start_login(char *host undef1, int autologin undef1, char *name undef1) { char **argv; + char *user; + + user = getenv("USER"); + user = (user != NULL) ? strdup(user) : NULL; scrub_env(); @@ -1160,9 +1164,9 @@ start_login(char *host undef1, int autologin undef1, char *name undef1) # endif } else #endif - if (getenv("USER")) { + if (user != NULL) { argv = addarg(argv, "--"); - argv = addarg(argv, getenv("USER")); + argv = addarg(argv, user); #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P) { char **cpp; @@ -1170,17 +1174,6 @@ start_login(char *host undef1, int autologin undef1, char *name undef1) argv = addarg(argv, *cpp); } #endif - /* - * Assume that login will set the USER variable - * correctly. For SysV systems, this means that - * USER will no longer be set, just LOGNAME by - * login. (The problem is that if the auto-login - * fails, and the user then specifies a different - * account name, he can get logged in with both - * LOGNAME and USER in his environment, but the - * USER value will be wrong. - */ - unsetenv("USER"); } #ifdef AUTHENTICATION #if defined(NO_LOGIN_F) && defined(LOGIN_R) @@ -1190,6 +1183,9 @@ start_login(char *host undef1, int autologin undef1, char *name undef1) #endif /* AUTHENTICATION */ closelog(); + if (user != NULL) + free(user); + if (altlogin == NULL) { altlogin = _PATH_LOGIN; } |
